When the directory authenticates a database user, TDGSS searches for user information in the directory based on the directory username specified in the logon. Directories use distinguished names (DNs) to uniquely name each directory user object, for example:
However, requiring users to enter the entire DN can result in logon errors. In addition, the database may be able to log only part of the DN, due to object name length limitations.
To avoid having to enter the entire DN, it is common practice to allow users to specify the simple form of the username in a logon string, for example:
The authentication process links the simple username to the DN in the directory.
Although it is generally good practice, allowing the use of simple usernames in the database logon string can present problems:
- Some directories do not allow a simple username in the logon string and force users to enter the entire DN at logons.
- Directories that do allow simple usernames may not efficiently bind them to the correct DNs.